Incapsula Uncovers Botnet Used in Bank DDoS Attacks

Cloud-based web security and infrastructure provider Incapsula says they identified a botnet that they believe was used distributed denial of service (DDoS) attacks against US-financial institutions last year.

It all started when Incapsula's security team detected an abnormal number of security events involving a new client's website, according to the company's blog. When Incapsula intercepted the requests, it discovered numerous requests with encoded PHP code payload operating a backdoor to the client's site, Incapsula found.

The attackers were using the backdoor to use the small UK-based general-interest website as a bot taking part in a DDoS attack, Incapsula found. The site was receiving instructions to launch HTTP and UDP DDoS flood attacks against several U.S. banks, including PNC, HSBC and Fifth Third Bank.

Since Incapsula blocked the requests, it was difficult to gauge the scope of damage, but it was "safe to assume that it would be enough to seriously harm an average medium-sized Website," Incapsula said.

Attackers prefer Web servers over personal computers to launch stronger DDoS campaigns, as the servers are generally stronger machines with access to higher bandwidth, Incapsula said. Last fall, Radware first identified a DDoS toolkit that was being used to compromise servers in data centers to launch attacks against banks. In this attack, the PHP code was designed to multiply itself to take advantage of the full capacity available on the server.

"It was potentially capable of producing much more traffic volume than a regular 'old school' botnet zombie," Incapsula said.

Attackers were able to access these Web servers "through a security loophole in one of the sites," Incapsula said. In this incident, it appears the general-interest site was already compromised before signing up for Incapsula's services. The security team determined the site was breached because the administrator credentials were too simple: admin/admin.

"This is just another demonstration of how security in the Internet is always determined by the weakest link," Incapsula said.

The command-and-control server for this botnet turned out to be a Turkish e-commerce website. It appeared that much like the UK-site, this e-commerce site was also compromised by the attacker, whose location remains unknown.

"Simply neglecting to manage administrative password in a small site in the UK, can be very quickly be exploited by a Botnet shepherds operating obscurely out of Turkey to hurl large amounts of traffic at American banks," Incapsula said.

The attacks instructions were precisely timed, limited for periods that varied from 7 minutes to an hour, Incapsula found. The bots were working in “shifts" to maximize its efficiency, according to Incapsula. The bot would renew the attack just as the target would start to recover. Sometimes the site received instructions to attack other unrelated commercial and e-commerce sites, making it likely this was a "botnet for hire," the company said.

A hacking group called Izz ad-Din al-Qassam had claimed responsibility for the wave of DDoS attacks which successfully disrupted operations for major banks such as Bank of America, JPMorganChase, PNC Bank, and HSBC late last year. During the course of the attacks, customers were unable to perform any online banking tasks.

While the banks have said the outages affected only the sites and that user accounts were not compromised, that appears to not be the case. "These DDoS attacks have in fact led to or been associated with fraud and customer account takeover," said Gartner's Avivah Litan.

The Office of the Comptroller of the Currency also acknowledged the attacks and issued a warning. The alert, issued by the nation's banking regulator in December and addressed to the heads of national banks, federal branches and agencies, technology service providers, and other related organizations, warned about the wave of DDoS attacks against banking websites.

"Each of these groups had different objectives for conducting these attacks, ranging from garnering public attention to diverting bank resources while simultaneous online attacks were underway and intended to enable fraud or steal proprietary information,” the alert said.

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.